Exchange 2010 SP1 - Certification Problems
Hi all,

I implemented a new Exchange 2010 SP1 environment into a 2008 R2 domain. Everything seems to be working correctly. I just have a few issues with warnings.

To give some information, I am running Exchange in-house. Clients (Outlook 2007/2010) connect using computername.domain.local. I also have OWA available for external use. This is over external.domain.com. I also purchased an SSL certificate for this domain and applied it. IE is showing it as valid.

Now I have found 2 issues.

1. My Outlook clients get 2 warnings when they start up, both saying the same:

    computername.domain.local
    Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

The first 2 items are checked; the 3rd says: The name of the security certificate is invalid or does not match the name of the site.

When I click the View Certificate button I get to see the certificate for external.domain.com. So how should I configure this situation, making sure I don't get an error like this? Since I can only link 1 certificate, I don't know how to do this.

2. I get this error about every 30 minutes:

    Microsoft Exchange could not find a certificate that contains the domain name computername.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default COMPUTERNAME with a FQDN parameter of computername.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

When I do Get-ExchangeCertificate I see 5 lines:

    thumb1 ...... CN=COMPUTERNAME
    thumb2 ...... CN=COMPUTERNAME
    thumb3 ...W.. CN=COMPUTERNAME
    thumb4 ...... CN=WMSvc-computername
    thumb5 IP.WS. CN=external.domain.com, OU.... etc.

What am I doing wrong? Do I need to configure a different FQDN somewhere? Hope someone can help me here.
February 8th, 2011 3:53pm

What kind of certificate did you purchase? If it was a regular standard certificate then that is your problem. You should have purchased a unified communications (aka Subject Alternative Name) certificate. That would allow you to have all of the required names for the correct operation of Exchange both internally and externally:

    mail.example.com (common name)
    autodiscover.example.com
    server
    server.example.local

where example.com is your public domain name used in email addresses after the @ sign, example.local is the internal DNS name of your domain and server is the name of the Exchange server.

While it is possible to use a single-name SSL certificate, your external DNS provider MUST support SRV records (many do not) and you will have to implement a split DNS system to allow the external name to resolve internally.

Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
February 8th, 2011 4:16pm
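As an added example (not part of Simon's reply or anything else in this thread), the following Exchange Management Shell script shows how to find out which names the first warning in the question is really about. It collects every host name Exchange 2010 hands to Outlook through Autodiscover (the SCP URI, the EWS and OAB URLs, the Outlook Anywhere host name, plus autodiscover.<accepted domain>, which off-network clients try by DNS) and checks each one against the certificate(s) currently enabled for IIS. A name reported as MISSING is one Outlook will connect to and be shown a certificate whose names do not match it. It assumes it runs on the Client Access server itself; wildcard entries are matched the standard way (one label only).

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell
# on the Exchange 2010 Client Access server. Assumes the local machine is the CAS.
$server = $env:COMPUTERNAME

# Names are compared case-insensitively; a *.example.com entry covers exactly one
# extra label (mail.example.com) and never the bare domain or a deeper name.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.') -and ($Name -match '^[^.]+(\..+)$') -and ($matches[1] -ieq $d.Substring(1))) {
            return $true
        }
    }
    return $false
}

function Get-HostFromUrl {
    param($Url)
    if ([string]::IsNullOrEmpty("$Url")) { return $null }
    ([System.Uri]"$Url").Host.ToLower()
}

# Every name Outlook can be told to use. Key = host name, value = where it came from.
$required = @{}
function Add-Required([string]$Name, [string]$Source) {
    if ([string]::IsNullOrEmpty($Name)) { return }
    if ($required.ContainsKey($Name)) { $required[$Name] += ", $Source" } else { $required[$Name] = $Source }
}

$cas = Get-ClientAccessServer -Identity $server
Add-Required (Get-HostFromUrl $cas.AutoDiscoverServiceInternalUri) 'AutoDiscoverServiceInternalUri (SCP)'
foreach ($vd in (Get-WebServicesVirtualDirectory -Server $server)) {
    Add-Required (Get-HostFromUrl $vd.InternalUrl) 'EWS InternalUrl'
    Add-Required (Get-HostFromUrl $vd.ExternalUrl) 'EWS ExternalUrl'
}
foreach ($vd in (Get-OabVirtualDirectory -Server $server)) {
    Add-Required (Get-HostFromUrl $vd.InternalUrl) 'OAB InternalUrl'
    Add-Required (Get-HostFromUrl $vd.ExternalUrl) 'OAB ExternalUrl'
}
foreach ($oa in (Get-OutlookAnywhere -Server $server)) {
    Add-Required ("$($oa.ExternalHostname)".ToLower()) 'Outlook Anywhere ExternalHostname'
}
# Off-network Outlook tries autodiscover.<SMTP domain> by DNS before anything else.
foreach ($ad in (Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' })) {
    Add-Required ("autodiscover.$($ad.DomainName)".ToLower()) 'Autodiscover DNS lookup'
}

# Certificates actually bound to IIS on this server (the 'W' in Get-ExchangeCertificate output).
$iisCerts = Get-ExchangeCertificate -Server $server | Where-Object { "$($_.Services)" -match 'IIS' }

foreach ($name in ($required.Keys | Sort-Object)) {
    $covering = $iisCerts | Where-Object {
        Test-NameCovered $name ($_.CertificateDomains | ForEach-Object { "$_" })
    } | Select-Object -First 1
    $status = if ($covering) { "OK  ($($covering.Thumbprint))" } else { 'MISSING' }
    "{0,-40} {1,-50} {2}" -f $name, $required[$name], $status
}
```

In the situation described in the question the script would list computername.domain.local (from the SCP URI and the EWS/OAB InternalUrl values) as MISSING, because the only IIS-bound certificate carries external.domain.com. Either of Simon's two routes clears it: put the internal names on a SAN certificate, or point the InternalUrl values and AutoDiscoverServiceInternalUri at the external name and resolve that name internally with split DNS.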

Hi,

Check that the configuration below is the same as what you have done in your environment; if not, make the correction and try again. Please test in a lab environment first. It worked for me:

Add digital certificates on the Client Access server

For secure external access to Exchange, you'll need a digital certificate. This certificate will include an exportable private key in X.509 format (DER encoded binary or Base-64 encoded). We recommend you procure, import, and enable a Subject Alternative Name (SAN) certificate that contains the names for the current namespace, a legacy namespace, and the Autodiscover namespace.

The names you need to include in your Exchange certificate are the fully qualified domain names (FQDNs) used by client applications to connect to Exchange. For example, a company named Contoso that uses contoso.com can use just three hostnames for all client connectivity within an Active Directory site:

mail.contoso.com
This name can cover nearly all client connections to Exchange, including Microsoft Office Outlook, Outlook Anywhere, offline address book (OAB) downloads (by Outlook), Exchange Web Services (for Outlook 2007 and later, and Entourage 2008), POP3, IMAP4, SMTP (both client and other SMTP server connections), Outlook Web App, the Exchange Control Panel, Exchange ActiveSync, and Unified Messaging.

autodiscover.contoso.com
This name is used for Autodiscover, which is used by Outlook 2007 and later, Outlook Anywhere, Exchange ActiveSync, Exchange Web Services clients, and Windows Mobile 6.1 and later.

legacy.contoso.com
This name is used to maintain Internet access to an older version of Exchange while you transition to Exchange 2010. This is necessary during transition because some Exchange services (for example, Outlook Web App, Exchange ActiveSync, and services that send configuration information through Autodiscover) tell clients to connect directly with the old Exchange servers if they see requests to access a mailbox on an older version of Exchange.

In addition to these three names, your root domain (for example, contoso.com) will also be added as a name.

There are three steps to adding certificates to your Client Access server(s):

1. If you don't already have a digital certificate, you can use the New Certificate Request Wizard in Exchange 2010 to generate a certificate request file, which you can then submit to your selected Certification Authority.
2. After you have the digital certificate from your Certification Authority, you then complete the certificate request process by importing the certificate into your Client Access server.
3. After the certificate has been imported, you assign one or more client access services to it.

Before proceeding with these steps, we recommend that you review this topic: Understanding Digital Certificates and SSL. In addition, the configuration settings used in the Exchange Deployment Assistant assume that you are using split DNS for client access. To learn more, see: Understanding DNS Requirements.

How do I create a certificate request file for a new certificate?

You can use the New Exchange Certificate wizard to create your certificate request.

1. In the Console tree, click Server Configuration.
2. From the Actions pane, click New Exchange Certificate to open the New Exchange Certificate wizard.
3. On the Introduction page, enter a friendly name for the certificate (for example, Contoso.com Exchange certificate) and then click Next.
4. On the Domain Scope page, if you plan on using a wildcard certificate, check the box for Enable wildcard certificate, enter the root portion of your domain (for example contoso.com or *.contoso.com), and then click Next. If you're not using a wildcard certificate, just click Next.

   Note: It's a best practice to not use wildcard certificates because they represent a potential security risk. Like a SAN certificate, a wildcard certificate (for example, *.contoso.com) can support multiple names. There are security implications to consider because the certificate can be used for any sub-domain, including those outside the control of the actual domain owner. A more secure alternative is to list each of the required domains as Subject Alternative Names in the certificate. By default, this approach is used when certificate requests are generated by Exchange.

5. On the Exchange Configuration page, expand and configure each area as follows:

   a. Federated Sharing
   Federated Sharing allows you to enable users to share information with recipients in external federated organizations by creating organization relationships between two Exchange 2010 organizations, or using a sharing policy to allow users to create sharing relationships on an individual basis. If you plan on using this feature, expand Federated Sharing and select the Public certificate check box.

   b. Client Access server (Outlook Web App)
   Expand this option and select the check box(es) that are appropriate for your Outlook Web App usage (Intranet and/or Internet). If you're using Outlook Web App internally, then in the Domain name you use to access Outlook Web App internally field, remove the existing server names and enter the FQDN you configured for external access to the Client Access server during Setup of the Client Access server (for example, mail.contoso.com). This is the same FQDN that is listed in the domain name field for Outlook Web App on the Internet.

   c. Client Access server (Exchange ActiveSync)
   Exchange ActiveSync should already be selected and the domain name field should be configured with the same FQDN used for Outlook Web App.

   d. Client Access server (Web Services, Outlook Anywhere, and Autodiscover)
   Exchange Web Services, Outlook Anywhere, and Autodiscover on the Internet should already be selected. Outlook Anywhere should already be configured to use two FQDNs: one that is the same FQDN used by Outlook Web App (for example, mail.contoso.com) and one that is the root domain for that FQDN (for example, contoso.com). Autodiscover should already be configured to use a long URL, which should automatically be configured as autodiscover.rootdomain (for example, autodiscover.contoso.com).

   e. Client Access server (POP/IMAP)
   If you plan on using secure POP or secure IMAP internally or over the Internet, expand this option and select the appropriate check box. In the domain name field for each protocol, remove the individual server names and enter the same FQDN you're using for Outlook Web App.

   f. Unified Messaging server
   If you plan on using Unified Messaging (UM) features, you can use a certificate that is self-signed by an Exchange 2010 UM server (which is the default option). If you're integrating UM with Office Communications Server (OCS), you'll need to use a public certificate. We recommend using a separate certificate for UM and OCS integration.

   g. Hub Transport server
   Hub Transport servers can use certificates to secure Internet mail, as well as POP and IMAP client submission. If you plan on using mutual TLS or if you're using POP or IMAP clients and want to secure their SMTP submissions, select the appropriate check box and in the FQDN field, enter the same FQDN you're using for Outlook Web App.

   h. Legacy Exchange Server
   This option is used to add the legacy namespace to the certificate, which will be used only during the period of coexistence between Exchange 2010 and the legacy version(s). Expand this option, select the Use legacy domains check box, and in the FQDN field, enter the FQDN you are using for your legacy namespace.

6. On the Certificate Domains page, review the list of domains that will be added to the certificate. If the names are correct, click Next. If any names are missing or incorrect, you can click Add to add missing names, or select a name and click Edit to modify the name. Click Next.
7. On the Organization and Location page, fill in the Organization, Organization unit, Location, Country/region, City/locality, and State/province fields. Click Browse and browse to the location where you want the certificate request file created. In the File name field, enter a name for the request file (for example, Exchange Certificate Request.req) and click Save. Click Next.
8. On the Certificate Configuration page, review the configuration summary. If any changes need to be made, click Back, and make the necessary changes. If everything is correct, click New to generate the certificate request file.
9. On the Completion page, review the output of the wizard. Click Finish to close the wizard.
10. Transmit the certificate request file to your selected Certification Authority, who will then generate the certificate and transmit it to you. After you have the certificate file, you can use the Complete Pending Request wizard to import the certificate file into Exchange 2010.
11. In the Console tree, click Server Configuration.
12. In the Work pane, right-click the certificate request you created and click Complete Pending Request.
13. On the Introduction page, click Browse to select the certificate file provided to you by your selected Certification Authority. Enter the private key password for the certificate, and then click Complete.
14. On the Completion page, verify that the request completed successfully. Click Finish to close the Complete Pending Request wizard.

How do I assign services to the certificate?

You can use the Assign Services to Certificate wizard to assign the appropriate services to the imported certificate.

1. After the certificate has been successfully imported, you can assign services to it. Select the certificate in the Work pane, and then from the Actions pane, click Assign Services to Certificate to open the Assign Services to Certificate wizard.
2. On the Select Servers page, the Exchange server into which you imported the certificate is shown. Click Next.
3. On the Select Services page, select the check box for each service you want assigned to the selected certificate and then click Next. For example, select the check box for Internet Information Services (IIS) to assign services for Outlook Web App, Exchange ActiveSync, and other Exchange services that are integrated with IIS.
4. On the Assign Services page, review the configuration summary. If any changes need to be made, click Back. If the configuration summary is correct, click Assign to assign the specified services to the selected certificate.
5. On the Completion page, verify that each step completed successfully. Click Finish to close the wizard.

How do I install the certificate on the legacy Exchange Server?

In addition to installing the SSL certificate on the Exchange 2010 Client Access server, you'll also need to install the certificate on the Exchange 2007 Client Access server or the Exchange 2003 server so that users with mailboxes on Exchange 2007 or Exchange 2003 can use SSL to connect to their mailboxes.

Note: If you'll be moving all mailboxes from Exchange 2003 or Exchange 2007 to Exchange 2010 over a short period of downtime, such as a weekend, you can skip these steps.

Before you install the digital certificate on the legacy Exchange server you must first export it from the Exchange 2010 Client Access server. To export your digital certificate, use the following steps.

1. Export the digital certificate to the variable $file using the following command.

    $file = Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Password (Get-Credential).password

2. The following command uses the Set-Content cmdlet to write the data stored in the variable $file to the file htcert.pfx.

    Set-Content -Path "c:\certificates\htcert.pfx" -Value $file.FileData -Encoding Byte

To install a digital certificate on an Exchange 2003 server, use the following steps.

1. Copy the exported certificate to a location that can be accessed from the Exchange 2003 server.
2. Right-click the .pfx file, and choose Install PFX.
3. After the Certificate Import Wizard launches, click Next twice to access the Password page.
4. Type the password for the private key in the Password field, and then click Next.
5. Select Automatically select the certificate store based on the type of certificate, click Next, and then click Finish.

To install a digital certificate on an Exchange 2007 server, use the following steps.

1. Copy the exported certificate to a location that can be accessed from the Exchange 2007 server.
2. Using the Exchange Management Shell, run the following command.

    Import-ExchangeCertificate -Path c:\certificates\import.pfx -Password:(Get-Credential).password

How do I know this worked?

The successful completion of the New Exchange Certificate, Complete Pending Request, and Assign Services to Certificate wizards will be your first indication that the certificate request, import, and assignment worked as expected. To further verify that your certificate was imported and assigned correctly, you can perform the following steps from the Exchange 2010 Client Access server computer.

1. In the Console tree, click Server Configuration.
2. In the Result pane, select the server that contains the certificate, and then in the Work pane, select the certificate you want to view.
3. From the Actions pane, click Open.

You can view information about the certificate on the General, Details, and Certification Path pages of the Exchange Certificate dialog box.

Ravi | Messaging Specialist. This posting is provided "AS IS" with no warranties, and confers no rights.
February 9th, 2011 12:59am
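As an added example (not part of Ravi's reply, and not text from the Microsoft documentation it quotes), here is the Exchange Management Shell equivalent of the three wizard steps above: generate the SAN request, complete it with the CA's response, and assign services. It also adds the check a practitioner wants before binding the certificate: that every name Exchange needs is actually on the issued certificate and that the chain is trusted. All names, the organisation string and the file paths are assumptions; replace them with your own. Run it once to produce the request, then again after saving the CA's response to the .cer path.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell on the
# Exchange 2010 CAS/Hub Transport server. Every name and path below is an assumption.
$externalFqdn = 'mail.example.com'
$serverFqdn   = (Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn    # e.g. server.example.local
$sanNames     = @($externalFqdn, 'autodiscover.example.com', $serverFqdn, $env:COMPUTERNAME) |
                ForEach-Object { $_.ToLower() } | Select-Object -Unique
$reqPath = 'C:\certificates\exchange.req'
$cerPath = 'C:\certificates\exchange.cer'    # save the CA's issued certificate here after step 1

if (-not (Test-Path $cerPath)) {
    # Step 1: request. CN is the public name clients use; every other name goes into the SAN.
    # PrivateKeyExportable lets the finished certificate be exported as a .pfx to other servers.
    $request = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "C=US,O=Example Corp,CN=$externalFqdn" `
        -DomainName $sanNames `
        -KeySize 2048 `
        -PrivateKeyExportable $true `
        -FriendlyName 'Example Exchange SAN certificate'
    Set-Content -Path $reqPath -Value $request
    Write-Host "Request written to $reqPath. Submit it to the CA, save the response as $cerPath and run this again."
    return
}

# Step 2: complete the pending request with the CA's response. Exchange matches the response
# to the pending request by public key and binds it to the private key generated in step 1.
$imported = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# Check before assigning: every required name must be present and the chain must be trusted by
# this machine. A missing intermediate CA certificate shows up here as a status other than Valid.
$have    = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
$missing = $sanNames | Where-Object { $have -notcontains $_ }
if ($missing) { throw "Issued certificate lacks: $($missing -join ', ')" }
if ($cert.Status -ne 'Valid') { throw "Certificate status is $($cert.Status); install the CA's intermediate certificate first" }

# Step 3: assign services. IIS covers OWA, ECP, EWS, OAB, Autodiscover and ActiveSync; SMTP lets the
# Transport service offer STARTTLS with it. -Force suppresses the "replace the default SMTP
# certificate?" confirmation.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP' -Force

# Verify: Services should now read 'IMAP, POP, IIS, SMTP' for this thumbprint.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, Status, NotAfter
```

Including the server's own FQDN and NetBIOS name in the SAN list is what makes the same certificate usable for the Default receive connector, whose FQDN is the server name, as well as for the client-facing URLs.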

Thanks both for the information. I indeed purchased the wrong certificate. I will go for this certificate: http://www.comodo.com/e-commerce/ssl-certificates/exchange-ssl.php I assume this is the correct one to purchase. I must list the domains I want to use.
February 9th, 2011 10:51am

Hi,

As Simon said, the warnings and error you got are caused by your certificate not containing all of the required names for the correct operation of Exchange.

    Microsoft Exchange could not find a certificate that contains the domain name computername.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default COMPUTERNAME with a FQDN parameter of computername.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

For more information about this error, please see the following KB article: http://support.microsoft.com/kb/555855

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks
Gen Lin-MSFT
February 9th, 2011 10:54am
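As an added example (not part of Gen Lin's reply or the KB article it points to), the following script reproduces the lookup that the quoted transport event describes, so you can see for yourself which receive connector and which name the Transport service is failing on. For each Receive connector on the local Hub Transport server it takes the connector's Fqdn (or the computer's FQDN when the connector has none, exactly as the event text says) and searches the local computer's Personal certificate store for a certificate whose common name or Subject Alternative Name covers it and whose private key is present. It assumes it runs in the Exchange Management Shell on an English-language Windows install (the SAN names are parsed from the extension's display text, which is localised).

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell on the
# Exchange 2010 Hub Transport server. Assumes English Windows (SAN display text is parsed).
$serverFqdn = (Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn.ToLower()

# Returns the DNS names a certificate is valid for: the CN plus every DNS Name entry in the
# Subject Alternative Name extension (OID 2.5.29.17), all lower-cased.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn.ToLower() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders the extension as "DNS Name=host1, DNS Name=host2, ..."
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value.ToLower()
        }
    }
    $names | Select-Object -Unique
}

$store = Get-ChildItem Cert:\LocalMachine\My     # the "personal store on the local computer"

foreach ($rc in (Get-ReceiveConnector -Server $env:COMPUTERNAME)) {
    # Connector FQDN, falling back to the computer FQDN when none is set (as the event states).
    $fqdn = if ("$($rc.Fqdn)") { "$($rc.Fqdn)".ToLower() } else { $serverFqdn }
    # A wildcard entry covers the FQDN only if it is exactly one label below the wildcard's domain.
    $wild = '*' + ($fqdn -replace '^[^.]+', '')

    $found = $store | Where-Object {
        $_.HasPrivateKey -and (($names = Get-CertDnsNames $_) -contains $fqdn -or $names -contains $wild)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

    if ($found) {
        "{0,-35} {1,-30} OK   thumbprint {2} (expires {3:d})" -f $rc.Name, $fqdn, $found.Thumbprint, $found.NotAfter
    } else {
        "{0,-35} {1,-30} MISSING: no certificate with a private key covers this name" -f $rc.Name, $fqdn
    }
}
```

Two things to check against the output. First, a row that shows OK but whose thumbprint is not enabled for SMTP in Get-ExchangeCertificate still produces the event; that is the case the event text covers with Enable-ExchangeCertificate -Services SMTP. Second, the tempting shortcut of renaming the "Default <Server>" receive connector's FQDN to the external name is one the Exchange 2010 documentation warns against: that connector's FQDN is used for Exchange Server authentication between Hub Transport servers, and changing it breaks internal mail flow in organisations with more than one Hub Transport server. Adding the internal FQDN to the SAN certificate, as Simon recommends, avoids the problem entirely.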

Yes, I think I understand now, so to confirm: if I purchase the certificate I linked above your post, that should work if I include external.domain.com, autodiscover.domain.com and computername.domain.local? Please confirm.
February 9th, 2011 11:11am

The list that you have included is correct. I also tend to include the server's NETBIOS name as well. So the full list is:

    mail.example.com
    autodiscover.example.com
    server.example.local
    server

Use the SSL wizard in the management console to generate the request and import the response.

Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
February 10th, 2011 1:46am
